
Bug #6719

OpenVPN DNS Leak Windows 10

Added by Moritz Hofmann 7 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 08/16/2016
Due date:
% Done: 100%
Affected version: All
Affected Architecture:

Description

Windows 10 DNS resolver always uses local DNS server, which defeats the point of --redirect-gateway / Road-Warrior scenario.

The DNS Servers provided by OpenVPN are not used.

https://community.openvpn.net/openvpn/ticket/605

Associated revisions

Revision 13ac08b8
Added by Jim Pingle 7 months ago

Add an option to push "block-outside-dns" to clients of an RA OpenVPN. Fixes #6719

Revision 01c2735c
Added by Jim Pingle 7 months ago

Add an option to push "block-outside-dns" to clients of an RA OpenVPN. Fixes #6719

History

#1 Updated by Jim Pingle 7 months ago

Did you try the suggested fix on the ticket you linked? Put this in your advanced server config box:

push block-outside-dns

We could add that to the exporter, either in all cases or as another checkbox option.

#2 Updated by Moritz Hofmann 7 months ago

I tried `push block-outside-dns` on pfSense and `setenv opt block-outside-dns` in the OpenVPN client.

nslookup still tries to connect to the local DNS and times out. Maybe I misunderstood the ticket.

Modifying the metric of the local connection to a higher value than the VPN connection solves the problem, but this isn't a good solution, I think.

#3 Updated by Jim Pingle 7 months ago

All we could do is push the setting or add it to the config. Beyond that it's a Windows problem that isn't anything we can help with.

I haven't tested this either way, but according to the ticket you should be able to push that so long as your client is running a current version of OpenVPN. Try uninstalling the OpenVPN client and then installing the latest version either from the export package or from the OpenVPN community downloads. Then try the test again. Pushing the option should be enough, you don't need to use the setenv bit unless you want to control it in the client directly and not push it from the server.

#4 Updated by Jim Pingle 7 months ago

  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Target version set to 2.4.0
  • Affected version changed from 2.3.2 to All

Ran some quick tests and both ways work so long as the client is current. With the option present, DNS queries only go across OpenVPN. Looks like ideally we could handle this both ways:

1. RA Server option to push block-outside-dns, checkbox next to the DNS settings with a note about it being specific to Windows 10 clients that leak DNS queries
2. OpenVPN Client Export Package option to add setenv opt block-outside-dns to the client configuration, with a similar note.

Non-windows clients and older clients will ignore the pushed option if they don't recognize it. Similarly, the setenv method is non-fatal if the client does not support the option.
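The two placements described above, shown as an added illustration rather than configuration taken from this thread or from pfSense's own code. Both the leaky and the corrected server fragments are given so the difference is visible; addresses, the hostname and the interface layout are constructed placeholders.

```openvpn
# --- server.conf, leaky variant (constructed example) ---
# Full-tunnel road-warrior setup: default route and a DNS server are pushed,
# but nothing stops Windows 10 from also querying the DNS server of its
# physical adapter, which is the leak reported in this bug.
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

# --- server.conf, corrected variant (what the RA server checkbox adds) ---
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
# On Windows clients running OpenVPN 2.3.9 or newer this installs Windows
# Filtering Platform rules that block port 53 traffic on every interface
# except the TUN adapter. Non-Windows and older clients log the unrecognized
# pushed option as a warning and otherwise ignore it.
push "block-outside-dns"

# --- client.ovpn, alternative placement (what the Client Export option adds) ---
client
dev tun
remote vpn.example.org 1194 udp   # placeholder hostname
# "setenv opt" marks the following option as optional, so a client that does
# not implement block-outside-dns warns instead of refusing to start.
setenv opt block-outside-dns
```

Either placement is sufficient on its own; pushing from the server keeps the policy centralized, while the client-side form lets a user enable it without any server change.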

#5 Updated by Daryl Morse 7 months ago

I use Mullvad VPN on one of my PCs which is running Windows 10. As long as you are using OpenVPN 2.3.9 or newer, it has the block-outside-dns feature, which uses WFP. It definitely works. If you invoke this feature, you should not experience DNS leakage.

#6 Updated by Jim Pingle 7 months ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#7 Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

New options are being pushed correctly when selected.

#8 Updated by Jim Pingle about 1 month ago

  • Target version changed from 2.4.0 to 2.3.3
